Basic Digital Forensic Investigation Concepts

Brian D. Carrier
June 07, 2006

Concepts

A digital investigation is a process to answer questions about digital states and events. The basic digital investigation process is frequently carried out by all computer users when they, for example, search for a file on their computer. They are trying to answer the question "what is the full address of the file named important.doc?". In general, digital investigations may try to answer questions such as "does file X exist?", "was program Y run?", or "was the user Z account compromised?".

A digital forensic investigation is a special case of a digital investigation where the procedures and techniques that are used will allow the results to be entered into a court of law. For example, an investigation may be started to answer a question about whether or not contraband digital images exist on a computer. An average Microsoft Windows user may be able to answer this question by booting the computer and using the Find Files function, but these results may not be court admissible because steps were not taken to preserve the state of the computer or use trusted tools.

The digital investigation process involves formulating and testing hypotheses about the state of a computer. We must formulate hypotheses because we cannot directly observe digital events and states and therefore we do not know facts. We must use tools to observe the state of digital data, which makes our observations indirect. This is similar to being told about something instead of seeing it for yourself. How much you believe what you are told is based on how much you trust the person. With digital investigations, the confidence is based on the trust placed in the hardware and software used to collect and analyze the data. The methods used to formulate and test the hypotheses can make the investigation process a scientific one.

Digital evidence is data that supports or refutes a hypothesis that was formulated during the investigation. This is a general notion of evidence and may include data that may not be court admissible because it was not properly or legally acquired.

General Process

There is no single procedure for conducting an investigation. I find that an intuitive procedure is to apply the same basic phases that are used by police at a physical crime scene, where we instead have a digital crime scene. Note that there are many details that are ignored in the following paragraphs.

The first step is preservation, where we attempt to preserve the crime scene so that the evidence is not lost. In the physical world, yellow tape is wrapped around the scene. In a digital world, we make a copy of memory, power the computer off, and make a copy of the hard disk. In some cases, the computer cannot be powered off and instead suspicious processes are killed and steps are taken to ensure that known evidence is copied and preserved.

The second step is to survey the crime scene for the obvious evidence. The "obvious" evidence is the evidence that typically exists with investigations of this type. For example, at a physical crime scene where a violent crime has occurred, the "obvious" evidence may have blood on it or be damaged. In a digital crime scene, the obvious evidence may be found based on file types, keywords, and other characteristics.

After the obvious evidence has been found, more exhaustive searches are conducted to start filling in the holes. With each piece of evidence that is found, there could be questions about how it got there, such as "which application created it?" or "what user caused it to be created?". If so, then event reconstruction techniques are needed to determine which application-level event occurred. This is similar to reconstructing where a bullet was shot from.
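As an added example that is not part of the original essay, the preservation and survey steps above in Python: a bit-for-bit image of a constructed sample "disk" is made while hashing both the source and the written copy, the image is later re-verified against the recorded hash, and a keyword survey is run over the raw image. The file names, sample contents and function names are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB reads: a device image should never be loaded whole into memory

def _sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source_path: str, image_path: str) -> dict:
    """Preservation: bit-for-bit copy of the source, hashed while it is read,
    then the written image is hashed independently so the copy can be verified."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            src_hash.update(chunk)
            dst.write(chunk)
    return {"source_sha256": src_hash.hexdigest(),
            "image_sha256": _sha256_of_file(image_path)}

def image_is_intact(image_path: str, expected_sha256: str) -> bool:
    """Re-verify an image against the hash recorded at acquisition time."""
    return _sha256_of_file(image_path) == expected_sha256

def survey_keywords(image_path: str, keywords: list[bytes]) -> dict[bytes, list[int]]:
    """Survey: byte offsets of each keyword anywhere in the raw image, allocated or not.
    Reads the whole image; real media would need a chunked search with overlap."""
    with open(image_path, "rb") as img:
        data = img.read()
    hits = {k: [] for k in keywords}
    for k in keywords:
        start = 0
        while (pos := data.find(k, start)) != -1:
            hits[k].append(pos)
            start = pos + 1
    return hits

def demo() -> dict:
    """Constructed sample media (not a real disk): padding around two copies of a filename."""
    workdir = tempfile.mkdtemp()
    disk, image = os.path.join(workdir, "suspect.bin"), os.path.join(workdir, "suspect.dd")
    with open(disk, "wb") as f:
        f.write(b"\x00" * 1000 + b"important.doc" + b"\xff" * 500 + b"important.doc" + b"\x00" * 200)
    record = acquire_image(disk, image)
    record["verified"] = image_is_intact(image, record["source_sha256"])
    record["hits"] = survey_keywords(image, [b"important.doc"])
    return record
```

The recorded hash pair is what lets a later reviewer confirm the examined image still matches what was acquired from the original media.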

Digital Forensics vs. Digital Forensic Investigation

I prefer the term digital forensic investigation over digital forensics because the process that is associated with "digital forensics" is much more similar to a physical crime scene investigation than to physical forensics. Physical forensics is used to answer a more limited set of questions than a general investigation. Physical forensics is used to "identify" a substance, which determines the class of the substance. For example, a red liquid could be identified as blood or fruit juice. Physical forensics is also used to "individualize" an object, which determines the unique source of an object. For example, blood from a crime scene could be compared with a sample from a suspect to determine if the two blood samples are the same, or two bullets could be compared to determine if they were shot from the same gun.

The process to determine how someone compromised a computer and identify what they had access to is much more involved than identification and individualization. It is a process of searching for evidence and then analyzing it. Therefore, I think that digital investigation and digital forensic investigation are more accurate terms.